Taking Back The Net

Hackers, spammers, and other online lowlifes aren't just a nuisance; they're threatening the Internet. It's time for business to go on the offensive.
By David Kirkpatrick; Reporter Associate: Christopher Tkaczyk

(FORTUNE Magazine) – Jim Haney hopes to protect his company from the next big Internet virus attack, but he's not sure he can. "We've been lucky so far," says Whirlpool's chief security officer, "but our time is probably coming."

When Sobig swept the Net last month, Haney's $11-billion-a-year company was able to emerge from the worst Internet virus ever pretty much unscathed. Whirlpool's centralized approach to managing its 20,000 PCs and 800 servers worldwide enabled Haney and his staff to quickly isolate areas that were hit. Yet he knows that for every safeguard he puts in, hackers are hatching a dozen ways around it. It's their speed vs. Whirlpool's size, and he's worried. After Sobig he ramped up the installation of sophisticated software from IBM that automatically keeps all of Whirlpool's machines updated with the latest security protections. Getting the system running isn't simple, in part because many of Whirlpool's techies, who like doing one-on-one support of desktops, don't want it. But Haney has no time to argue. Like just about every big company in the world, Whirlpool has become hugely dependent on the Internet. About 95% of the company's sales pass through it in one way or another. That means outages are simply no longer acceptable.

As every computer user knows by now, the Internet is in trouble. Its almost miraculous ability to connect everyone to everything--the very quality that has made it essential to business--is also what enables hackers to create viruses that can go from zero to crippling in hours. One step down in threat level is spam, the Joker to e-mail's Batman. Merrill Lynch, the Washington Post Co., and other giants have found that roughly 60% of all e-mail their employees receive is unwanted, unpalatable, and often fraudulent--a costly waste of time. And increasingly the hackers and spammers are learning from each other. Sobig spread via e-mail; so did the ILOVEYOU virus. Sobig's ultimate purpose may be, in fact, to help disseminate spam even more effectively.

Consumers are being targeted too. Surf the web in a coffee shop, and chances are that whatever you do can be seen by any modestly capable hacker in the vicinity. As e-commerce becomes more and more mainstream, thieves are figuring out how to mimic sites and gain key personal information from would-be buyers. New Net irritants, like pop-up ads that have the ability to monitor surfing and appear on any site they like, threaten to make going online about as much fun as avoiding squeegee men.

It's not good for business if consumers lose patience. Surveys by Forrester Research find that confidence in online security has fallen significantly since its peak in 2000. Business will have to spend ever more to attract back lost customers. Says Haney: "If we can't keep ahead of the curve and we lose consumer confidence in using the Net for conducting business and communicating, that will rattle the whole environment."

Now here's a surprise: A growing group of influential technologists is arguing that the scourge of spam and the recent outbreaks of worms and viruses are good. Sobig, Blaster, and herbal Viagra are timely warnings, the reasoning goes: Such disruptions could be just the thing to spur businesses, individuals, and governments to strengthen and protect the Net. "These could be the actions of a terrorist, but they're not. There's nothing stopping a virus from destroying all your files once it's on your hard drive, yet viruses today don't usually do that," says Marc Andreessen, the web-browser pioneer and founder of enterprise-software maker Opsware. "But virus outbreaks will force the industry to make the hard changes that are required to make the Internet viable in the long run." IBM, which has largely automated the maintenance of its machines, was barely singed by Sobig. Still, the company is paying attention. Says IBM e-business-on-demand boss Irving Wladawsky-Berger: "I would put the viruses we've encountered so far more in the category of bumps in the road that get our attention."

But the attacks are helpful only if they prompt real change. "We're at a critical point where we have to make some decisions about who will control the Internet," says Donna Hoffman, co-director of the Sloan Center for Internet Retailing at Vanderbilt University and someone who has studied the web since its earliest days. That could mean new corporate and consumer practices and even federal and state regulation, she and other experts say. Whatever is decided, one thing is sure: How effectively business and government deal with viruses, spam, and other new threats will determine the future success of the Net.

THE SURGE IN VIRUSES

If there is one place taking an EKG of the Net, it is the CERT Coordination Center at Carnegie-Mellon University in Pittsburgh. CERT was set up in 1988 after the release of the first Internet worm brought 10% of the still tiny Net's computers to a halt. Since then, the group has kept track of the steadily growing threats to the Internet. In 1990 it counted 252 unique attacks on the Net. By last year that figure had grown to 82,094. Huge, but getting huger: In the first half of 2004, CERT tracked a whopping 74,000 incidents. A vast proportion of them are caused by smart kids fooling around--so far.

And the biggest weak spot happens to reside in the biggest company in technology: Microsoft. Computer scientists and hackers worldwide constantly bang and poke at Microsoft's operating systems and server and desktop applications, especially its ubiquitous Outlook e-mail program. They're finding vulnerabilities at the rate of more than two a month. As researchers identify and publish those flaws, Microsoft scrambles to write downloadable patches to its software. But while Microsoft may be quick with the fixes, installing them takes time, especially for large organizations. Most individual computer users, meanwhile, simply don't bother, creating the conditions for devastating attacks. The ten most damaging viruses ever unleashed all targeted Microsoft software, according to mi2g, a British security-research firm.

So let's all blame Microsoft, right? That's a commonly chanted refrain, but it's not exactly fair. Even some of Microsoft's biggest bashers agree. "It's a cheap shot to say Microsoft is at fault," says Mary Ann Davidson, chief security officer at Oracle. "Can they do better? Yes. But so can we."

No one doubts that Microsoft needs to improve the security of its products, but the main problem is its very success: Its software is on almost every desktop or laptop in the world and is also on a large percentage of the world's servers. Any hacker hoping to make a splash in the virus world is going to cannonball into that giant pool. "The motivation of a bad person to write a virus is not that different from the motivation of a software developer to write an application," says Microsoft security-business unit boss Mike Nash, simultaneously bragging and being defensive. "They want something that can run on the largest installed base."

Competitors, of course, argue that the cure is for customers to reduce their reliance on Microsoft. In software, they argue, diversity is strength. "It's like in the Irish potato famine," says Oracle's Davidson. "They only had one type of potato, and it was not resistant to the blight." IBM and others, meanwhile, have used the latest attack to promote the open-source Linux operating system, especially for use in the server infrastructure of organizations. But Linux is hardly hack-proof. Digital vandals gained entry to almost three times as many Linux servers in August as they did Windows, says mi2g.

As virus attacks have increased, Microsoft has stepped up efforts to hacker-proof its software. There are already signs that the efforts are paying off: Microsoft Office XP, the latest version of Office, was, as shipped, immune to Sobig. The virus attempts to implant and run a program inside Microsoft's e-mail client, Outlook, but Office XP restricts the ability to do so. The next version of Windows XP will be made with its default configuration set up to automatically consult Microsoft's website to download and install security patches, a service users have to jump through hoops to set up now.

Companies, meanwhile, are turning to automated software management tools from IBM, Computer Associates, BMC Software, and others to protect their enterprise infrastructure. The Internal Revenue Service was unaffected by the Blaster virus because as soon as the vulnerability was identified, it used inventorying and software-distribution tools from IBM's Tivoli subsidiary to automatically immunize some 70,000 computers. Ten IRS techies installed the patches in seven days, says IRS enterprise systems manager Jim Kennedy; without automation, the same task would have taken 1,200 people. Arvind Krishna, security boss for IBM's software division, puts great store in the ability of infotech to be self-healing: "Over the past 30 years IT automated a lot of manual processes--bill collection, inventory control, the flow of goods, etc. Now we have to automate IT itself."

If viruses are to be stopped, it's going to be technology that defeats the threat from technology.

THE FOULNESS OF SPAM

While working on this story, I received an e-mail titled "Dazzle in Snake Skin Thong Bikini" from LustyThreads.com. No big deal: Such trash e-mail is useless, if occasionally entertaining and easy to delete. But multiply that by the tens of millions of spam messages that get sent each day and you see how disturbing the problem of spam is (possibly even more disturbing than me in a snakeskin thong).

Spam is everywhere because it is a remarkably good business. The startup costs are low: A kit containing all the software a spammer needs is available for about $140, reports technology expert Ferris Research. An additional $70 gets you a list of 100 million e-mail addresses (most of them probably invalid). And the margins are high: A spammer working for, say, a porn site needs just 10,000 people to respond to a ten-million message campaign to reap between $1,000 and $10,000 in profit, depending on his commission. Sometimes even a click on a "remove me from this list" link counts as a response.

The cost to business, on the other hand, is enormous. A 10,000-employee company with no protection--a fair assumption considering that only about 3.5% of U.S. companies currently employ spam-fighting technology--can expect to lose about $1.1 million per year in decreased productivity, help-desk costs, and use of IT resources, calculates Ferris conservatively.

Throwing spammers in the slammer would seem the obvious solution. Almost all of them are breaking some law. A spammer sending porn to millions of names will certainly hit a few thousand children. That's a felony. Advertising prescription drugs without the required disclosures and disclaimers is illegal, as is selling drugs without a prescription. Sending repeated e-mail when a recipient asks you to stop is harassment. If a message claims the user signed up for a list but he didn't, that's fraud.

Yet the Federal Trade Commission, one government agency with the authority to target spammers, has been hard-pressed to act. Chairman Timothy Muris explains that spam senders are tough to find and prosecute. But some in the legitimate e-mail industry disagree. Andy Sernovitz, who founded the Association for Interactive Marketing in 1993 and who now runs e-mail consulting company Gaspedal.net, claims he's got the names of 200 spammers he's ready to hand over. "We know exactly who they are. We know their names, we know what they send, and we know who they send it to," he says. Told of Sernovitz's claims, Muris expresses skepticism but asks for contact info. "I'd love it if what he's saying turns out to be true," he says. Muris also says that some federal attorneys are talking about prosecuting spammers for sending porn to kids.

A big reason that legitimate e-mailers hope the FTC does move is that they want to head off legislators eager to respond to constituents' "spam rage." New York Senator Charles Schumer has introduced a bill to create a do-not-spam registry much like the FTC's hugely popular do-not-call list for phone marketers. But Muris and many others believe it's pointless to expect compliance from spammers. While Congress generally favors such opt-out approaches, opt-in plans that require marketers to show they have the active consent of recipients are tougher and more enforceable. The European Union will implement opt-in legislation for spam at the end of October. Italy has already imposed a law that sends to jail anyone caught sending e-mail without the consent of the recipient.

In addition to new government rules and controls, business needs to take a more active role in snaring the spam. Every company should install antispam technology. About 300 software companies now exist, most of them new, though even the leaders still hold only a tiny fraction of the potential market. Postini, a startup in Redwood City, Calif., is one of the largest antispam software companies; its customers include T. Rowe Price and Blockbuster, and it screens three billion e-mails a month. Says CEO Shinya Akamine: "When the spam rate was 15% of e-mail, CIOs weren't that worried about it. But when it crossed the 30% point around the middle of 2002, suddenly they got worried." Spam controls don't just block e-mail. If they work well enough, and enough companies and ISPs use them, they will make spamming unprofitable.

NEW THINGS TO DRIVE NET USERS MAD

Another foul-tasting version of spam is just now being uncanned: browser spam--pop-up advertisements that appear unexpectedly while you're surfing the web. The KaZaa music-sharing program comes bundled with software from a company called WhenU. One of several browser-spam products, WhenU's software silently watches where you go online. Land on sites containing certain keywords, and the software displays ads that attempt to divert your attention and steal your business. Stephen Messer, CEO of LinkShare, a clearinghouse for Internet marketers that send traffic to one another's sites, predicts that browser spam will get even worse, with pop-ups chasing other pop-ups and most likely turning even more consumers off to the web.

Of course, turning them off is one thing; ripping them off is another. In one fast-growing scam, so-called phisher frauds, criminals create authentic-looking websites that mimic established sites for e-commerce. The con artist then sends spam, ostensibly from the real company, asking the consumer to come to the site to authenticate personal information: mother's maiden name, Social Security number, account numbers, etc. Many consumers have been misled, companies like BestBuy and Citigroup have been burned, and online businesses are worried. "We're moving quickly to address it," says Howard Schmidt, chief information security officer for eBay. He says a new coalition organized by some of the biggest tech companies is looking at technology to help consumers identify spoofed sites and block the e-mail that leads there. A possible method would be a downloaded toolbar that helps consumers authenticate where they are online.

In fact, authentication is one of the biggest pushes by online watchdogs. Done properly, authentication--between users and sites, and vice versa--will allow surfers to be identified before taking actions online and also ensure that a site is what it says it is. A user could even eliminate spam by opting to receive e-mail only from people who have authenticated their identity. Jonathan Schwartz, Sun's software boss, is the apostle of authentication using smart cards, preferably those running Java software--a standard launched by Sun--to create online identities. Dell is moving to put Java Card readers in its PCs. Every employee of the Department of Defense has a Java Card or Java dog tag. Says Schwartz: "The feeding frenzy around the Internet was good theater, but let's get down to business. And authentication is the foundation of commerce."

To take back the Net, every legitimate constituency that uses it will have to bear responsibility. Corporations will have to swallow hard and accept that, on average, around 6% of their IT spending must go toward security. The figure is about 3% today, calculates Computer Economics, a tech research firm. The government will have to put measures in place to keep the Net's libertarian paradise safe for business, whether that means cracking down on spam or, as some suggest, mandating that people who connect to the Internet at broadband speeds employ firewall software. And the technology industry, even as it continues to improve its software and hardware weapons, will have to start spending heavily on user education. Too many users, especially consumers and small businesses, simply don't know how much they can be hurt and how much their inaction can potentially harm others in the event of a virus like Sobig. Schmidt of eBay says such educational campaigns are already being planned. Adds IBM's Wladawsky-Berger: "My feeling is that between major tech advances, market principles that tell advertisers not to do bad things, and government taking action on behalf of voters, we really will surmount these problems."

The author of Sobig may have finally given us the push we need to start taking those measures. So when we catch that virus creator we can thank him or her--just before the cell door shuts.

FEEDBACK: dkirkpatrick@fortunemail.com